United Utilities, the water and electricity utility, has warned that quantifying and presenting IT risks in ways that are meaningful to the wider business strategy remains difficult to achieve in sectors such as utilities.
Speaking on a panel at Gartner’s IT Security Summit in London, Neil Dudleston, head of information security at United Utilities, said: “We collect 50-plus risk indicators every month and summarise them. What we find difficult is translating what is meaningful to us in a risk assessment to what is meaningful to the overall business strategy.”
Dudleston said a related area of concern was deciding on the level of action needed to tackle the risk – a decision that would usually only be possible after a full assessment of which parts of the business could be affected.
Government regulations on utility companies’ budgets and operations meant risks had to be calculated a long way in advance, Dudleston said. “We have a five-year cost cycle, and we have to plan for IT projects in the next five-year run and detail them before the cycle begins.
“Risk is part of the decision-making process so sometimes we might have to judge that up to nine years in advance if we start planning a project early in a five-year cost cycle.”
Speaking on the same panel, David Lodge, global head of IT risk control at investment bank UBS, agreed that it was difficult to plan ahead when it came to risk. “In general, I think we need better forward-looking indicators, rather than just looking at what’s already happened,” he said.
Aligning internal risk audits with compliance checks under regulatory rules such as Sarbanes-Oxley and Basel 2 was also a challenge, Lodge said. “I really need a legal team that can tell me exactly what the regulations are and what IT needs to do.”
But Gartner analysts at the event warned there was still little relationship between companies’ internal risk audits and their external reporting.